Freshly discovered bug in OpenPGP.js undermines whole point of encrypted comms www.theregister.com/2025/05/2…

Security researchers are sounding the alarm over a fresh flaw in the JavaScript implementation of OpenPGP (OpenPGP.js) that allows both signed and encrypted messages to be spoofed.

Discovered by Codean Labs' Edoardo Geraci and Thomas Rinsma, the vulnerability essentially undermines the core purpose of using public key cryptography to secure communications.

Tracked as CVE-2025-47934 (8.7 – high), the vulnerability stems from the openpgp.verify and openpgp.decrypt functions. The advisory posted to the library’s GitHub repo states that a maliciously modified message can be passed to one of these functions, which then returns a result indicating a valid signature even though the message was not actually signed.

The researchers said a full write-up of the vulnerability, complete with a proof of concept (PoC) exploit, is “coming soon.” It’s common practice to delay disclosing PoCs to allow users time to patch affected products.
